| 1 |
On Wed, 30 Dec 2015 07:34:52 +1000 Hans wrote: |
| 2 |
> Hi, |
| 3 |
> |
| 4 |
> Is it possible to fully encrypt a Gentoo system as can be done with |
| 5 |
> Fedora, Suse, Arch Linux, Debian and Ubunto without using a unencrypted |
| 6 |
> USB boot stick or unencrypted /boot partition? |
| 7 |
> |
| 8 |
> If yes, where can I find instructions that really work on a BIOS only |
| 9 |
> box without UEFI, EFI, systemd using EXT4 file system? |
| 10 |
|
| 11 |
The easiest way is to use ATA password for your drive (go into |
| 12 |
BIOS menu for that or use some live image capable of that, e.g. |
| 13 |
any Linux with hdparm or mhdd). |
| 14 |
|
| 15 |
If you want to use Linux encryption (e.g. LUKS), you have to have |
| 16 |
some piece of data unencrypted, because bios/uefi needs to load some |
| 17 |
code which will be able to run kernel and decrypt your drive. This |
| 18 |
peace may be kernel + initrd on efi partition or boot partition, usb |
| 19 |
stick and so on. Of course it is possible to boot from external |
| 20 |
media (PXE, CD/DVD, USB stick) and have whole HDD/SSD encrypted. |
| 21 |
|
| 22 |
Though I see little point in whole / encryption. What is the |
| 23 |
point to encrypt /usr, /lib, /bin, /sbin? Just do this |
| 24 |
to /home, /var and other sensitive pieces. |
| 25 |
|
| 26 |
Best regards, |
| 27 |
Andrew Savchenko |
Archives